How to setup AWS generated SSL certificate usage for Elasticsearch and Kibana in Elastic Cloud Enterprise clusters

RamanV · February 19, 2020, 10:57am

Hello,
I have an SSL certificate from AWS Certificate Manager which is attached for corresponding ports on LoadBalancer, that forwards traffic to Elasticsearch and KIbana in ECE cluster. But SSL connection is not working since Elasticsearch and Kibana have their own SSL certificates by default.
How to setup AWS generated SSL certificate usage for Elasticsearch and Kibana in Elastic Cloud Enterprise clusters.
Have tried https://www.elastic.co/guide/en/cloud-enterprise/2.4/ece-manage-certificates.html, but it is not working.

Alex_Piggott · February 19, 2020, 2:53pm

Hi @RamanV

Can you clarify exactly what problem you're having? Eg what error, what the config is?

Normally if you set up the LB with your own cert, it should be possible to hit 9243 using the ECE default self-signed cert (which you can replace with your cert as per the link you posted if you want to, but you don't have to unless the LB is configured to require a known CA)

So what you're doing sounds totally sensible, if it's failing, it's likely to be a tricky detail somewhere

Alex

RamanV · February 20, 2020, 12:29pm

Hi @Alex_Piggott,
thank you for reply.
I have an ECE cluster deployed in AWS.
I have a Route53 record for cluster which forwards requests to LB.
There are 2 records domain.com and *.domain.com (names are for example).
There is AWS SSL certificate published for *.domain.com with corresponding CNAME record.
LB itself has listeners configured for following ports:

.
I can reach Cloud UI url https://domain.com:12443.
But can not reach Elasticsearch and Kibana URLs inside deployments: like https://4394ef8c27dc4caf82142e724a0a2a2e.domain.com:9243/. There is just a connection time out. And SSL certificate is not detected in browser.
At the same time I can reach Elasticsearch and Kibana vi HTTP: http://4394ef8c27dc4caf82142e724a0a2a2e.domain.com:9200/.
Via Cloud UI in Plarform->Settings->TLS certificates there are SSL certificates chains generated during ECE installation.
Please help to solve an issue with HTTPS connectivirty to Elasticsearch and Kibana.

Alex_Piggott · February 20, 2020, 3:03pm

Interesting ... a couple of things to check:

Do you definitely have a proxy role on the instance(s) to which the LB is pointing
(what health checks, if any, do have set up?)
Can you verify that your security groups and iptables allow 9243

This statement And SSL certificate is not detected in browser I would guess to be either a red herring (it's just how the LB happens to handle not being able to hit the next hop), or would indicate a problem with the wildcard cert

My guess is still that it's a network related issue though

system · March 5, 2020, 3:10pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.